Federal Circuit Court Goes Its Own Way on Standing in Data Security Class Action

Class action lawsuits alleging data privacy-related violations were quite prevalent in 2011, and observers are expecting that trend to continue, if not expand, in 2012. The Legal Pulse has published a series of posts on one key issue in such suits – what constitutes “harm” in the context of standing to sue – over the past six months, including our final commentary of 2011, Judge “Likes” Plaintiffs’ Arguments, Online Privacy Class Action Proceeds.

One other late 2011 online privacy ruling escaped our attention until recently: Reilly v. Ceridian Corporation, from the U.S. Court of Appeals for the Third Circuit. In a departure from Seventh and Ninth Circuit rulings in similar cases, Judge Aldisert’s unanimous opinion affirmed a district court’s dismissal of Reilly’s class action for lack of Article III standing to sue.

In 2009, a hacker broke into payroll processing firm Ceridian’s system and potentially accessed names, social security numbers, dates of birth, and account numbers. Investigators couldn’t determine if the hacker read or copied any data. Ceridian clients filed suit alleging emotional distress and financial harm due to the need to closely monitor their credit.

On the threshold issue of standing, Judge Aldisert found that Reilly’s allegations didn’t demonstrate any “actuality” and “imminency” of harm, but relied instead on a string of conjectures. He pointedly wrote:

“Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”

Reilly urged the court to follow the reasoning of a 2007 Seventh Circuit ruling, Pisciotta, and a 2010 Ninth Circuit ruling, Krottner. Both circuit panels found the respective data breach plaintiffs had standing to sue. Judge Aldisert distinguished both cases as being “much different” from Reilly on the imminence and impending nature of harm.

Whether the factual situation in Reilly was in fact “much different” certainly is debatable. No doubt, if the Third Circuit panel wished to find standing, it could have found a way to follow the Seventh and the Ninth Circuit rulings. The real problem with those rulings, as Judge Aldisert baldly states, was that they relied on flawed, “skimpy rationale(s).” Rather than apply the “generalized data theft situations” to applicable standing jurisprudence, the Pisciotta and Krottner courts “simply analogized data-security-breach situations to defective-medical-device, toxic-substance-exposure, or environmental-injury claims.” Judge Aldisert proceeds to tear that reasoning-by-analogy apart in the remainder of the Reilly opinion.

Reilly’s emphasis on actual vs. conjectural harm, and its scolding rejection of two other circuit courts’ rationales on standing, will be quite valuable to future data-breach class action defendants, and helpful to online privacy suit defendants. The ruling also sets up a split of sorts in the federal circuits, but it will likely take quite a few more contrasting outcomes before the U.S. Supreme Court takes the issue on.